The Membership API is new to ASP.NET 2.0. It provides a full-fledged infrastructure for managing and authenticating the users of your applications. ASP.NET 2.0 shipped with two Membership providers, SQL Server and Active Directory. While plenty of articles and blog posts have been published on how to use the SQL Server Membership provider, very few cover the Active Directory Membership provider. I was recently leading an enterprise web site project that required Active Directory authentication, and I thought it might be useful to share a few points on using the Active Directory Membership provider in ASP.NET 2.0.

In this blog post, we will implement AD authentication in an ASP.NET web site by completing the following four steps.

Create a web app with a login page

Configure the web app to use forms authentication

Add the ActiveDirectoryMembershipProvider to the web app

Manage users with ActiveDirectoryMembershipProvider

Create a web app with a login page

Open Visual Studio 2008, create a new Web Site named FormsAuthAD. After the web site is created, add a new web form named "Login.aspx", and then place a Login control onto the form.

If the web.config file was not created, go ahead and add it to the project. Locate the <authentication> element in the web.config file and change its mode attribute to Forms. Add a <forms> element as a child of the <authentication> element, and set the loginUrl, defaultUrl, name and timeout attributes as shown in the following example.

<authentication mode="Forms">
    <forms name=".ADAuthCookie" timeout="10"
           loginUrl="Login.aspx" defaultUrl="Default.aspx">
    </forms>
</authentication>

The <authorization> element is also required to make the forms authentication work. Add the following <authorization> element beneath the <authentication> element in the web.config file.

<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>

What happens here is that only authenticated users are allowed to access the app. The "?" stands for unauthenticated (anonymous) users and the "*" for all users; because the rules are evaluated in order, anonymous requests are denied before the allow-all rule is reached.

Add the ActiveDirectoryMembershipProvider

The ActiveDirectoryMembershipProvider is configured through membership settings in the web.config file. First of all, we need to add a connection string that points to the Active Directory user container. The domain of my home lab is called dotnetinspirations.com, so my connection string looks like this:
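The original listing is not on this page, so the following web.config fragment is an added example reconstructed from the names the text uses (ADConnectionString, DomainLoginMembershipProvider, dotnetinspirations.com); the service account name and password are placeholders, not values from the post. The <authentication> and <authorization> elements from the earlier steps belong in the same <system.web> section.

```xml
<configuration>
  <connectionStrings>
    <!-- LDAP path to the Users container of the lab domain named in the post -->
    <add name="ADConnectionString"
         connectionString="LDAP://dotnetinspirations.com/CN=Users,DC=dotnetinspirations,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- defaultProvider must be overridden: the machine-level default is the SqlMembershipProvider -->
    <membership defaultProvider="DomainLoginMembershipProvider">
      <providers>
        <add name="DomainLoginMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="DOTNETINSPIRATIONS\svc-aspnet-ad"
             connectionPassword="PLACEHOLDER-change-me"
             connectionProtection="Secure"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

connectionProtection="Secure" (the default) makes the provider use SSL or signing and sealing for the LDAP connection; attributeMapUsername="sAMAccountName" lets users log in with their plain account name instead of the UPN form (user@domain) the provider expects by default. Because connectionPassword is stored in cleartext, encrypt the connectionStrings and membership sections on a deployed server with aspnet_regiis -pe.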

Note that connectionStringName is set to the name "ADConnectionString" we specified earlier. Note also that we override the defaultProvider attribute to "DomainLoginMembershipProvider", which is defined in the <providers> element. We have to override this attribute because the machine-level default MembershipProvider points to the SqlMembershipProvider, using the localhost\SQLExpress instance, and that is the provider ASP.NET uses unless told otherwise.

In this example, I have full control over my own dotnetinspiration.com domain and I logged into Active Directory as the administrator. If you are running this application in a less flexible environment, you need to obtain a domain account that has sufficient permissions in Active Directory. If you do not specify account credentials (connectionUsername and connectionPassword), the provider connects to Active Directory using your ASP.NET web app's process account, which typically has fairly low privileges, so you may not be able to test all the features of the application.

At this point we are ready to test the Active Directory authentication. We will add a quick line of code to the default.aspx page to display the authenticated user's identity. This goes in the Page_Load event handler of the default.aspx page.

protected void Page_Load(object sender, EventArgs e)
{
    // Display the name of the authenticated user; HtmlEncode prevents markup injection
    Response.Write("Hello, " + Server.HtmlEncode(User.Identity.Name));
}

Run the web site and log in using any existing account on your domain. If the login is successful, you will be redirected to the default.aspx page, which displays the name of the logged-in user. Otherwise, the Login control automatically displays a login failure message.

Manage users with ActiveDirectoryMembershipProvider

The ActiveDirectoryMembershipProvider not only provides the capability of authenticating users without writing any code, but also allows you to manage users from ASP.NET as conveniently as if you were working in Active Directory itself. We will demonstrate this by creating a new web form for adding users. From the Solution Explorer, add a new page called CreateNewUser.aspx, and once it is generated, add a CreateUserWizard control to the form.

Just like the Login control, nothing needs to be configured for the CreateUserWizard control to work. ASP.NET reads the web.config file at runtime and becomes aware of the underlying data source for managing users.

Run the web site again, this time logging in with a privileged account (we need to be able to create new users). In the browser's address bar, replace default.aspx with CreateNewUser.aspx. Follow the wizard and create a brand new user. Then log into the web site one more time with this new account.

First of all thx. What do you mean with the same AD login? You mean I just should check in the OnLoggingIn event if the correct Username is supplied [without password validation]? The other problem I'm facing right now is that I don't know the connectionstring in advance because the site is deployed on many servers and I don't know these domains in advance. Is there a way to construct the connectionstring somehow dynamically?

Very nice article! I had also gotten this far (with a lot of trial and error). One question though: what do you mean by "if you are running this application in a less flexible environment, you need to obtain a domain account that has sufficient permissions in Active Directory."

What is sufficient permissions? What kind of permissions are needed to authenticate a user?

The user that logs into the domain controller needs to have permissions for querying Active Directory to be able to authenticate users. Consult your network administrator, who should be able to create an account with sufficient privileges.

Yes Sreenath. Using the "allow users" only works for hardcoded usernames. So what I would do is check the usernames in the Login_LoggingIn event of your Login control and programmatically allow those 5 users to access the web page based on your business rules.
10/8/2008 11:30 AM | Frank Wang

This is a great article. I have been looking for a jumping off point like this for a long time. Thanks so much for this example. 3 things: First, do you have any recommendations for reference material like books or sites that relate to asp.net and Active Directory management? Second, is there an alternate download location for the source code? Third, can you limit the login to group membership? If so how would you approach this? Thanks again for this. It's exactly what I've been looking for.
12/2/2008 2:40 PM | TJ

I can't run this code... I read it 5 times and I repeat again and again the procedures. I am always stuck with the error "System.Web.Security.ActiveDirectoryMembershipProvider"
12/5/2008 1:46 AM | help me

Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Regarding the first poster's question, I have a similar need for allowing users to various parts of our intranet site based on their AD account. How do you implement this on specific pages? I'm using master pages with one site.master. I see this growing into a larger site so this will definitely grow. I need to be able to limit access to certain pages/sub-directories based on AD groups or memberships.

This is a nice article. I need something different and I don't understand how I could do that. In my organization more than 100 users will see my application. All users should have view permission (there are reports and charts, so everyone should have the view permission) but a few users (3/4) should have insert, update and delete permission. Users should not need to log in to the application. From Active Directory my application will identify if it's a read-only user or a read-write authenticated user. Is there any way to do that? Need help pls...
3/16/2009 6:36 AM | Maksuda

Very nice... I got it working without the login.aspx page. I made it completely wide open. No authentication whatsoever to create a guest WiFi AD account. I have three issues. First, my page is displaying extremely slowly. It takes about one full minute or more to display one single .aspx page. Second, it takes even longer once the submit button is clicked. Third, the username field in AD for pre-2000 is automatically created randomly with symbols and numbers, etc... Therefore, completely useless, because that's what the Cisco WiFi controller is matching against.

I've been trying to have a Custom Control ctrlA that inherits script controls and has a property another custom control ctrlB (which inherits script control). How can I achieve it and be sure that the ctrlB is initialized before the "parent" control ?
